authorAnton Khirnov <anton@khirnov.net>2019-12-14 22:09:58 +0100
committerAnton Khirnov <anton@khirnov.net>2019-12-14 22:09:58 +0100
commitafddf90fa0a06aefe3dc9e51e8deeba7744a3e0e (patch)
tree3b07f4c734db75476e0dc8af7ae4c2a51ea39ad3
parentc861cbb0c977a19d7c4c3017f1f80348bf80b6b3 (diff)
nginx_config: use separate server blocks for ingesting and serving media
-rw-r--r--nginx_config59
1 files changed, 39 insertions, 20 deletions
diff --git a/nginx_config b/nginx_config
index 8c1f13e..6e30ad4 100644
--- a/nginx_config
+++ b/nginx_config
@@ -5,30 +5,54 @@ upstream dash_server_py {
server [::1]:8000;
}
+# this server handles media ingest
+# authentication is handled throught TLS client certificates
+server {
+ # network config
+ listen [::]:8001 ssl default_server;
+ server_name <server name>;
+
+ # server's TLS cert+key
+ ssl_certificate <path to TLS cert>;
+ ssl_certificate_key <path to TLS key>;
+ #ssl_dhparam <path to DH params, optional>;
+
+ # source authentication with TLS client certificates
+ ssl_client_certificate <path to CA for client certs>;
+ ssl_verify_client on;
+
+ # only allow upload requests
+ # TODO: handle DELETE
+ if ($request_method !~ ^(POST|PUT)$) {
+ return 405; # Method Not Allowed
+ }
+
+ root <path to site root>;
+
+ # define parameters for communicating with dash_server.py
+ # enable chunked transfers
+ proxy_http_version 1.1;
+ proxy_buffering off;
+ proxy_request_buffering off;
+ # finish the upload even if the client does not bother waiting for our
+ # response
+ proxy_ignore_client_abort on;
+
+ location /live/ {
+ proxy_pass http://dash_server_py;
+ }
+}
+
server {
# network config
listen [::]:80 default_server;
+ server_name <server name>;
# tweak to your site and uncomment for TLS
#listen [::]:443 ssl;
#ssl_certificate <path to TLS cert>;
#ssl_certificate_key <path to TLS key>;
- #ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH';
#ssl_dhparam <path to DH params, optional>;
- # optional, verify the client certificate for authenticated uploading
- #ssl_verify_client optional;
- #ssl_client_certificate <path to CA for client certs>;
- #if ($request_method ~ ^(POST|PUT)$) {
- # set $reject "1";
- #}
- #if ($ssl_client_verify = "SUCCESS") {
- # set $reject "0";
- #}
- #if ($reject = "1") {
- # return 403;
- #}
-
- server_name dash;
root <path to site root>;
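Review bot: The public server block that follows the new ingest block has no method restriction in the visible lines, so moving authentication to port 8001 only protects uploads if nothing on port 80 still forwards POST/PUT to `dash_server_py`. The second hunk keeps `try_files $uri @dash_server;` in `location /live/`, and `@dash_server` is defined outside this diff; if it proxies to the same upstream, a write request for a path with no file on disk would presumably reach the backend without a client certificate. Mirroring the ingest filter in the serving block, e.g. `if ($request_method !~ ^(GET|HEAD)$) { return 405; }`, would make the split between the two servers explicit. Separately, `ssl_verify_client on;` accepts any certificate that chains to the configured CA, so adding `ssl_crl <path to CRL>;` next to `ssl_client_certificate` would let revoked source certificates be refused. The serving block's body continues outside this hunk.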
@@ -50,11 +74,6 @@ server {
}
location /live/ {
-
- limit_except GET {
- proxy_pass http://dash_server_py;
- }
-
try_files $uri @dash_server;
}